
Open Source: Tracking Down Bugs in OS When Things Go Wrong

By Dick Weisinger

Google is a heavy user of open source software, so it is keenly interested in tracking the bugs and vulnerabilities that get introduced into open source code as those projects change.

Google created a tool called Open Source Vulnerabilities (OSV), launched in February. It is backed by a database that maps each vulnerability to the code changes that introduced and fixed it, and it can be queried by commit hash or by package version to determine whether that commit or version is affected and exactly which code changes introduced the problem.

OSV makes querying for open source project vulnerabilities easier and more accurate. It also makes it easier to gather the information needed to publish a vulnerability report: the affected commit ranges and the list of affected versions.

Google Security Team members explained in a blog that “OSV aims to simplify the vulnerability reporting process for an open source package maintainer by accurately determining the list of affected versions and commits. This requires providing both the commits that introduce and fix the bugs. If that information is not available, OSV requires providing a reproduction test case and steps to generate an application build, and then it performs bisection to find these commits in an automated fashion. OSV takes care of the rest of the analysis to figure out impacted commit ranges (accounting for cherry picks) and versions/tags.”
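The two steps the quote describes, bisecting a reproduction test case to find the introducing and fixing commits and then turning those commits into an affected set that accounts for a cherry-picked fix, are easy to model. The script below is an added example written for this page, not code from Google's OSV project: the commit history, the tags, and the "does the repro crash here" oracle (a stand-in for building the project and running the test case) are all constructed, and the OSV-style range entry it emits assumes the shape of the published OSV schema (a `GIT` range with `introduced` and `fixed` events).

```python
"""Toy model of OSV-style vulnerability triage (added example, not OSV code).

Constructed history, as a git DAG (child -> parents):

  main:     c1 - c2 - c3 - c4 - c5 - c6
  release:        \\ r1 - r2 - r3          (branched from c2)

Scenario (constructed): c2 introduces the bug, c5 fixes it on main and
r2 is that fix cherry-picked onto the release branch.
"""
from typing import Callable, Dict, List, Optional, Set

PARENTS: Dict[str, List[str]] = {
    "c1": [], "c2": ["c1"], "c3": ["c2"], "c4": ["c3"], "c5": ["c4"], "c6": ["c5"],
    "r1": ["c2"], "r2": ["r1"], "r3": ["r2"],
}
TAGS: Dict[str, str] = {"v1.0": "c2", "v1.1": "c4", "v1.2": "c6",
                        "v1.0.1": "r1", "v1.0.2": "r3"}
MAIN: List[str] = ["c1", "c2", "c3", "c4", "c5", "c6"]

# Constructed oracle: which commits make the reproduction test case fail.
# In OSV this is "build the project at this commit and run the repro".
_CRASHING = {"c2", "c3", "c4", "r1"}


def repro_crashes(commit: str) -> bool:
    return commit in _CRASHING


def ancestors(commit: str, parents: Dict[str, List[str]] = PARENTS) -> Set[str]:
    """All commits reachable from `commit` by following parent links, itself included."""
    seen: Set[str] = set()
    stack = [commit]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        stack.extend(parents[c])
    return seen


def bisect_first(history: List[str], pred: Callable[[str], bool]) -> str:
    """First commit of a linear history for which `pred` holds.
    Requires `pred` to flip from False to True exactly once along `history`.
    """
    if pred(history[0]):
        return history[0]
    if not pred(history[-1]):
        raise ValueError("predicate never becomes true on this range")
    lo, hi = 0, len(history) - 1          # history[lo] is False, history[hi] is True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if pred(history[mid]):
            hi = mid
        else:
            lo = mid
    return history[hi]


def locate_commits(history: List[str], known_bad: str,
                   crashes: Callable[[str], bool]) -> Dict[str, Optional[str]]:
    """Given one commit where the repro is known to fail, bisect backwards for
    the introducing commit and forwards (if the tip is clean) for the fix."""
    i = history.index(known_bad)
    introduced = bisect_first(history[: i + 1], crashes)
    tail = history[i:]
    fixed = None if crashes(tail[-1]) else bisect_first(tail, lambda c: not crashes(c))
    return {"introduced": introduced, "fixed": fixed}


def affected_commits(introduced: Set[str], fixed: Set[str],
                     parents: Dict[str, List[str]] = PARENTS) -> Set[str]:
    """A commit is affected when an introducing commit is in its ancestry and
    no fixing commit is. Listing the cherry-picked fix (r2) among `fixed` is
    what makes the later release-branch commits drop out of the set."""
    return {c for c in parents
            if ancestors(c, parents) & introduced
            and not ancestors(c, parents) & fixed}


def affected_tags(introduced: Set[str], fixed: Set[str],
                  tags: Dict[str, str] = TAGS) -> List[str]:
    bad = affected_commits(introduced, fixed)
    return sorted(t for t, c in tags.items() if c in bad)


def osv_range(repo: str, introduced: Set[str], fixed: Set[str]) -> dict:
    """OSV-style 'affected' entry (assumed schema shape: GIT range with events)."""
    events = [{"introduced": c} for c in sorted(introduced)]
    events += [{"fixed": c} for c in sorted(fixed)]
    return {"ranges": [{"type": "GIT", "repo": repo, "events": events}],
            "versions": affected_tags(introduced, fixed)}


if __name__ == "__main__":
    found = locate_commits(MAIN, known_bad="c3", crashes=repro_crashes)
    intro, fix = {found["introduced"]}, {found["fixed"], "r2"}   # r2: known cherry-pick
    print(osv_range("https://example.invalid/repo.git", intro, fix))
```

Running it bisects `main` around the reported bad commit `c3`, finds `c2` as the introducing commit and `c5` as the fix, and then reports `v1.0`, `v1.0.1` and `v1.1` as affected while `v1.0.2` is clean because the cherry-picked fix `r2` sits in its ancestry. The caveat a maintainer should keep in mind: bisection assumes the reproduction is deterministic and monotonic along the branch; a flaky test or a bug that was fixed and re-introduced will send it to the wrong commit.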

Google Security Team Blog: Launching OSV – Better vulnerability triage for open source

